From 9d03c89c02162e8885ee705f60a7b1343cbc824d Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Wed, 12 May 2021 20:16:55 -0700
Subject: [PATCH] chore: Return new permissions-policy header on app pages

closes #2040
---
 server/app.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/server/app.js b/server/app.js
index 7db61be2..8f7631e9 100644
--- a/server/app.js
+++ b/server/app.js
@@ -168,7 +168,12 @@ app.use(mount("/auth", auth));
 app.use(mount("/api", api));
 
 // Sets common security headers by default, such as no-sniff, hsts, hide powered
-// by etc
+// by etc, these are applied after auth and api so they are only returned on
+// standard non-XHR accessed routes
+app.use(async (ctx, next) => {
+  ctx.set("Permissions-Policy", "interest-cohort=()");
+  await next();
+});
 app.use(helmet());
 app.use(
   contentSecurityPolicy({
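Review bot: The new `app.use(async (ctx, next) => ...)` block is inserted between the comment that describes `helmet()` ("no-sniff, hsts, hide powered by") and the `helmet()` call, so that comment now reads as if it documents the Permissions-Policy middleware, and nothing explains why the header is hand-set or what `interest-cohort=()` does. A comment of its own directly above the new middleware would fix this, e.g. `// Permissions-Policy is not among the headers helmet() sets here, so it is added by hand; interest-cohort=() opts app pages out of FLoC cohort calculation`. Because the value is set with `ctx.set` before `await next()`, any later middleware that sets the same header (a future helmet version, or a route handler) silently replaces it, which is worth stating in the comment so a future addition of camera/microphone/geolocation directives is made in one place. The claim in the rewritten comment that the header is only returned on non-XHR routes depends on the `/auth` and `/api` mounts not calling through to this layer, which is not visible in the hunk.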